Group Policy Not Being Applied

    Question

  • I'm having a problem with a group policy and I'm not sure where to look next.  I have two policies:

    • Disable USB - disables the ability to write to removable media via the user configuration settings in Admin Templates - System - Removable Storage Access.  Applied to Accounts OU with "authenticated users" as the security filter and no WMI filter
    • Enable USB - enables all the stuff disabled by the above.  Enforced = yes.  Applied to accounts OU and has "AllowUSB" group as the security filter.  Again, no WMI filter.

    I have a user that cannot write to removable media but they are in the AllowUSB group.  We have two domain controllers and I have confirmed that replication has occurred - the AllowUSB group is present and the user is a member on both Domain Controllers.

    I ran gpresult /v and confirmed:

    • The group policy was applied within minutes of confirming the above settings
    • The group policy was applied to the "closest" domain controller which is where I created the group, policies, etc. in the first place
    • The Disable USB policy ran with no problems and shows up in the "applied group policy objects"

    Here's my problem - the enable policy doesn't show up anywhere in the gpresult - not even in the "not applied" section as filtered out.  It's like the policy didn't exist.  Please correct me if I'm wrong but if the policy is applied to the OU that this person is a member of, the policy should appear in either the "applied" or "not applied" sections of gpresult.

    This is driving me nuts - what did I miss?

    Tuesday, January 12, 2016 10:11 PM

All replies

  • Here's another strange thing:  I am also in the "AllowUSB" group and when I run the gpresult /v, it clearly shows that the enable USB GPO was filtered out with the following: "Filtering:  Denied (Security)"

    I just now verified the link order and Enable is above (lower priority number) than Disable. 

    I really need some help on figuring this out.

    Tuesday, January 12, 2016 10:56 PM
  • Do you have Loopback enabled? If Loopback "Merge" mode is enabled, the
    computer account needs read access to all user GPOs...
     
    And just to make sure: The user logged off/on to update the group
    membership in its TGT, hopefully :)
     
    Wednesday, January 13, 2016 2:02 PM
  • Thank you very much for the response.

    I am not familiar with the Loopback modes - I'll have to dig into that.  But just in case it's not clear, the GPO is purely user configurations applied to an OU with only user objects - does Loopback matter?  I'll try to get time to look into that this afternoon. 

    And yes, we've logged on/off multiple times.


    Wednesday, January 13, 2016 3:15 PM
  • > But just in case it's not clear, the GPO is purely user configurations
    > applied to an OU with only user objects - does Loopback matter?
     
    In this case, it should not :)
     
    Hm - stumped... In the gpresult output, you see the group memberships
    for the user when gpos were processed. Is the AllowUSB group listed?
     
    And just to make sure: When highlighting the AllowUSB GPO in gpmc and
    switching to the delegation tab, there are NO special entries there?
    ("Deny" ACLs are invisible in the security filtering list on the first tab).
     
    Wednesday, January 13, 2016 3:24 PM
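The Deny entries mentioned above are not shown on the GPMC Security Filtering tab, but they are visible from PowerShell. As an added example (not code from the thread or from any participant), the following lists every Deny ACE on a GPO's ACL; it assumes the GroupPolicy RSAT module and a GPO named "Enable USB", and the optional -Server parameter lets you query each domain controller separately.

```powershell
# Added example: surface Deny ACEs on a GPO, which GPMC's first tab hides.
# Assumes the GroupPolicy RSAT module is installed; 'Enable USB' is the thread's GPO name.
Import-Module GroupPolicy

function Get-GpoDenyEntries {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [string]$Server          # optional: a specific DC, to compare both
    )
    $params = @{ Name = $GpoName; All = $true }
    if ($Server) { $params.Server = $Server }
    # -All returns every ACE on the GPO, including Deny entries and
    # the machine-only entries that the Security Filtering tab omits.
    Get-GPPermission @params |
        Where-Object { $_.Denied } |
        Select-Object @{ n = 'Trustee';    e = { $_.Trustee.Name } },
                      @{ n = 'TrusteeType'; e = { $_.Trustee.TrusteeType } },
                      Permission, Inherited
}

# Full ACL first: confirm AllowUSB holds both GpoRead and GpoApply (Allow).
Get-GPPermission -Name 'Enable USB' -All |
    Format-Table @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Denied -AutoSize

# Then isolate explicit Deny entries; an empty result means none are set.
$deny = Get-GpoDenyEntries -GpoName 'Enable USB'
if ($deny) { $deny | Format-Table -AutoSize } else { 'No Deny entries on the GPO ACL.' }
```

A Deny on GpoApply or GpoRead for any group the user belongs to produces the "Denied (Security)" filtering reason seen in gpresult, so check the user's other group memberships against this list, not only AllowUSB.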
  • Hi Tskin,

    Enable USB - enables all the stuff disabled by the above. 

     Applied to accounts OU and has "AllowUSB" group as the security filter.  Again, no WMI filter.

    >>>Is there only “AllowUSB” group as the security filtering?

    Here's my problem - the enable policy doesn't show up anywhere in the gpresult - not even in the "not applied" section as filtered out. 

    >>>If there is only the "AllowUSB" group as the security filtering, the enable policy displays with its GUID instead of the GPO name in gpresult when running gpresult /h <file path> as a user who is not a member of the AllowUSB group. And you could see the reason denied: inaccessible.

     I am also in the "AllowUSB" group and when I run the gpresult /v, it clearly shows that the enable USB GPO was filtered out with the following: "Filtering:  Denied (Security)"

    >>>According to my test, the behavior may be caused by denying apply group policy. You could check it in Advanced of Delegation tab.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, January 14, 2016 8:43 AM
    Moderator
  • Thanks for the replies so far.  Bizarrely, the group policy was applied correctly this morning.  I've changed nothing but today it decided to work.  This either means that the issue resolved itself - perhaps through some sort of replication mechanism - or it will recur later and I will need to track down the ghost in the machine.

    Jay - with regards to denying group policy, wouldn't that need to be manually configured? No one gets "deny" on group policy without an admin specifically denying them, right? I double checked and no one has deny but I just want to know for future reference as I'm creating and deploying policy.


    Edit:  Oh - and yes, only AllowUSB in the security filter and I will try the gpresult /h if it happens again.
    Thursday, January 14, 2016 2:52 PM
  • Hi Tskin,

    Jay - with regards to denying group policy, wouldn't that need to be manually configured? No one gets "deny" on group policy without an admin specifically denying them, right?

    >>>Yes, we need to configure deny apply group policy manually.

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, January 15, 2016 5:54 AM
    Moderator
  • I've found some more users with issues... after some more digging, I've found something strange that may be causing this issue.  I ran "net user USER /domain" and the user IS in the "AllowUSB" group - it shows up in the list that this command generates. 

    However - if I run gpresult, the GP is filtered out (Denied, Security) and the "AllowUSB" group does NOT show up in the list of groups that follows. 

    Why would net user clearly show that he IS a member of the group but gpresult does not?

    Thursday, January 21, 2016 2:59 PM
    > Why would *net user* clearly show that he IS a member of the group but
    > *gpresult* does not?
     
    Can we assume that the user has logged off/on after he was added? What's
    the outcome of "whoami /groups" for that user - how many groups are listed?
     
    Thursday, January 21, 2016 3:19 PM
  • Yes, I had him completely reboot so that it would be a fresh login.  And you're right, the "AllowUSB" group is not listed in the "whoami /groups" command.  Why would it be in the net user command but not the whoami command?
    Thursday, January 21, 2016 3:24 PM
  • Is there anything with the groups that are used as a security filter that would interfere with the application of group policy?  The "AllowUSB" group is a Global Security Group (it started out as a universal group somewhere along the way) and contains two other Global Security Groups inside it.  The users in question are members of these internal security groups.  Does that matter?
    Thursday, January 21, 2016 10:55 PM
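The discrepancy in the last few posts (net user /domain lists the group, whoami /groups and gpresult do not) can be checked directly against what each domain controller would put in the user's token. As an added example (not code from the thread or from any participant), the script below reads the user's tokenGroups attribute, which is the DC's own transitive expansion of nested membership, on every DC and reports whether AllowUSB is present, alongside the group's scope and direct member count. It assumes the ActiveDirectory RSAT module; 'jsmith' and 'AllowUSB' are placeholder names.

```powershell
# Added example: compare transitive group membership as each DC computes it
# (tokenGroups, the basis for the logon token) with the group's own definition.
# Assumes the ActiveDirectory RSAT module; 'jsmith' is a placeholder user name.
Import-Module ActiveDirectory

function Get-TokenGroupNames {
    param([Parameter(Mandatory)][string]$UserSam, [Parameter(Mandatory)][string]$Server)
    $user  = Get-ADUser -Identity $UserSam -Server $Server
    # tokenGroups is a constructed attribute: the DC expands nested membership
    # the same way it does when building the user's TGT, so it reflects what
    # whoami /groups should show after a fresh logon against that DC.
    $entry = [ADSI]"LDAP://$Server/$($user.DistinguishedName)"
    $entry.RefreshCache(@('tokenGroups'))
    foreach ($sidBytes in $entry.Properties['tokenGroups']) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$sidBytes, 0)
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }    # unresolvable SID (stale or foreign) is kept as-is
    }
}

$UserSam   = 'jsmith'
$GroupName = 'AllowUSB'

# Scope and nesting of the filter group, for comparison with the thread's description
# (Global group converted from Universal, containing two other Global groups).
$grp = Get-ADGroup -Identity $GroupName -Properties member
"{0}: scope={1}, direct members={2}" -f $grp.Name, $grp.GroupScope, $grp.member.Count
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.SamAccountName -eq $UserSam } |
    ForEach-Object { "AD says {0} is a (possibly nested) member of {1}" -f $_.SamAccountName, $GroupName }

# Ask every DC separately; replication lag or a DC-specific problem shows up here.
foreach ($dc in (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)) {
    $token   = @(Get-TokenGroupNames -UserSam $UserSam -Server $dc)
    $present = [bool]($token | Where-Object { $_ -like "*\$GroupName" })
    "{0}: {1} token groups, {2} present={3}" -f $dc, $token.Count, $GroupName, $present
}
```

If a DC lists the group in tokenGroups but whoami /groups on the workstation does not, compare the token-group count with the roughly 20-25 reported in the thread and check which DC authenticated that logon.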
  • Could you try to apply this user policy from computer configuration. 

    Regards, Krselva. Please remember to mark the replies as answers if they help you, and unmark the answers if they do not help you.

    Friday, January 22, 2016 12:03 AM
  • > you're right, the "AllowUSB" group is not listed in the "whoami /groups"
     
    How many groups are listed???
     
    Friday, January 22, 2016 11:46 AM
    > Could you try to apply this user policy from computer configuration.
    >
    > Regards, Krselva. Please remember to mark the replies as answers if they help you, and unmark the answers if they do not help you.


    I'm not sure I understand the reasoning for this one - the enable/disable policies apply to the User Config\Policies\Administrative Templates\System/Removable Storage Access.  Since they're user policies, I apply them to users - it's my understanding that strange things can happen when you apply user policies to machines and vice versa.
    Friday, January 22, 2016 4:24 PM
  • Looks like about 20-25 depending on who's logged in.  For some folks, everything works like it should - for others, it doesn't.  I can't figure out what the difference is.
    Friday, January 22, 2016 4:27 PM